Apache Week
   
Issue 248, 25th May 2001

Copyright 1996-2005
Red Hat, Inc.


Under Development

This week saw the public release of Apache 1.3.20, and the release for testing of Apache 2.0.18. It seems likely that the Apache 2.0.18 tarball will be released as "alpha"-level code, due to problems on some Linux platforms, and a mod_dav configuration issue.

The debate over the future of mod_proxy in Apache 2.0 continues, with no sign of resolution. In February of this year, the mod_proxy code from the Apache 2.0 repository was moved into a separate CVS tree to allow independent development to continue without affecting the stability of the core server code. One option that has been discussed is for the mod_proxy team to distribute a tarball bundling both the core Apache code and the proxy code.


Featured articles

In this section we highlight some of the articles on the web that are of interest to Apache users.

The Developer Shed presents step-by-step instructions for building Apache, MySQL, WebDAV and PHP on Mac OS X. All these programs compile and run on Mac OS X thanks to its BSD-based UNIX core, known as Darwin. Note that the Apache web server built by these instructions is not enhanced with mod_ssl.

PHP programmers may be interested in creating a spell checking tool and setting up an event calendar using PHP. The former shows you how to create a single class that allows you to manage multiple dictionaries and check the spelling of any word quickly and effectively. The second article covers the development of a calendar system that inserts and retrieves relevant event information from a MySQL database.


Apache 1.3.20 Released

Apache 1.3.20 was released on 22nd May 2001 and is now the latest version of the Apache server. The previous release was 1.3.19, released on the 28th February 2001. See what was new in Apache 1.3.19.

Apache 1.3.20 is available in source form for compiling on Unix or Windows, for download from the main Apache site or from any mirror download site.

This is a bug fix and minor upgrade release, with a few new features. Users should upgrade if they have noticed particular bugs mentioned below or would like to use any of the new features. The significant overhaul to the Apache Bench program, ab, which we reported on in April, was not included in this release due to some portability problems.

Due to security issues, any sites using versions prior to Apache 1.3.14 on Unix, or all versions on Windows or OS2, should upgrade as soon as possible.

Security vulnerabilities

  • A vulnerability was found in the Win32 and OS2 ports of Apache 1.3. A client submitting a carefully constructed URI could cause a General Protection Fault in a child process, bringing up a message box which would have to be cleared by the operator to resume operation. This vulnerability introduced no identified means to compromise the server other than introducing a possible denial of service.

New features

The main new features in 1.3.20 (compared to 1.3.19) are:

  • Enhanced rotatelogs functionality to allow the logfile name to include customisable date stamps (using the standard strftime syntax) as well as the ability to specify the time offset from UTC.
  • A new flag, NOESCAPE (NS), can be used in RewriteRule directives to disable all normal URI escaping. Use this flag with caution as it is easy to introduce security risks.
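
The caution attached to the new RewriteRule flag, shown as an added configuration sketch (not from Apache Week or the Apache distribution). The paths /anchor/ and /bigpage.html are made up for illustration, the flag is written with its long name `noescape`, and the three rules are alternatives, not a set to load together:

```apache
RewriteEngine On

# Alternative 1, default behaviour: the rewritten URL is URI-escaped
# before the redirect is sent, so the '#' below goes out as %23 and no
# longer works as a fragment separator.
RewriteRule ^/anchor/(.+)$ /bigpage.html#$1 [R]

# Alternative 2, weak: noescape keeps the '#' intact, but (.+) matches
# any characters, and with escaping disabled whatever it captured from
# the request is copied into the redirect target exactly as matched.
RewriteRule ^/anchor/(.+)$ /bigpage.html#$1 [R,noescape]

# Alternative 3, tighter: keep noescape, but let the pattern accept only
# the characters an anchor name needs, so nothing that would have
# required escaping can reach the substitution.
RewriteRule ^/anchor/([A-Za-z0-9_-]+)$ /bigpage.html#$1 [R,noescape]
```

With the third form, a request whose anchor part contains anything outside the character class does not match the rule at all and is handled as an ordinary request.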

Selected new features that relate to Windows platforms:

  • Integration of support for the Cygwin platform. Cygwin is a Unix emulation layer for Windows.
  • The apxs tool, used to aid building modules for Apache, can now be used on Windows platforms.

Selected new features relating to other platforms:

  • EBCDIC support has been overhauled and is now configurable. EBCDIC support is needed for platforms such as Fujitsu-Siemens' BS2000, the IBM OS/390, and IBM TPF operating systems.
  • Various changes for Apache on NetWare including the ability to shut down cleanly, properly displaying error and warning messages, and increasing the hard server limit as NetWare is able to handle a large number of service request threads. Directory indexes on NetWare will now also include "." and ".." entries.

Bugs fixed

The following bugs were found in Apache 1.3.19 and have been fixed in Apache 1.3.20:

  • mod_proxy is now able to pass on empty HTTP headers. These were previously stripped.
  • Fix a possible segfault at startup when no ServerName is specified.
  • Fix a possible segfault on some platforms if an invalid floating point value is passed to an internal routine.
  • Properly resolve the location of the ndbm library on Linux and some glibc2 builds, where headers are not in the standard locations. This affected builds on Red Hat Linux 7 and SuSE 7. PR#6929
  • For server-side includes on Windows, properly handle the exec tag.
  • Fix a potentially serious threading problem with Windows NT and Windows 2000 services. Modules such as mod_jserv and mod_perl will not be able to shut down cleanly.
  • On Windows, fix a bug which could cause messages such as "dup2(stdin) failed" when using piped logs.
